NIST 800-53 r5 · Controls catalogue · Family AC
AC-22 Publicly Accessible Content
- Designate individuals authorized to make information publicly accessible;
- Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
- Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
- Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors. |
| CWE-284 | Improper Access Control | 4,832 | Designating authorized individuals and mandating pre/post-publication reviews enforces access controls on who can publish content publicly. |
| CWE-285 | Improper Authorization | 1,230 | Authorization checks via training and content reviews ensure only approved information is released to public systems. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 779 | The control ensures information resources are not exposed to the incorrect (public) sphere through review and authorization. |
| CWE-552 | Files or Directories Accessible to External Parties | 540 | Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 314 | Ongoing reviews detect and remove sensitive system information before it reaches publicly accessible systems. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Preventing nonpublic personal information from public posting reduces unauthorized exposure of private personal data. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | 84 | Pre- and post-publication reviews prevent insertion of sensitive information into externally-accessible public locations. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-11749 | 7.1 | 9.8 | 0.8539 | good |
| CVE-2024-11396 | 4.3 | 5.3 | 0.5417 | good |
| CVE-2024-12008 | 3.1 | 5.3 | 0.3348 | good |
| CVE-2025-9209 | 3.1 | 9.8 | 0.1876 | good |
| CVE-2025-11693 | 3.0 | 9.8 | 0.1677 | good |
| CVE-2025-70841 | 2.0 | 10.0 | 0.0010 | good |
| CVE-2020-37082 | 2.0 | 9.8 | 0.0032 | good |
| CVE-2026-22237 | 2.0 | 9.8 | 0.0062 | good |
| CVE-2025-12539 | 2.0 | 10.0 | 0.0072 | good |
| CVE-2025-54863 | 2.0 | 10.0 | 0.0011 | good |
| CVE-2026-2144 | 1.6 | 8.1 | 0.0011 | good |
| CVE-2024-12330 | 1.6 | 7.5 | 0.0101 | good |
| CVE-2025-67223 | 1.5 | 7.5 | 0.0015 | good |
| CVE-2024-12274 | 1.5 | 7.5 | 0.0051 | good |
| CVE-2025-27604 | 1.5 | 7.5 | 0.0059 | good |
| CVE-2024-13562 | 1.5 | 7.5 | 0.0059 | good |
| CVE-2024-13606 | 1.5 | 7.5 | 0.0029 | good |
| CVE-2024-13568 | 1.5 | 7.5 | 0.0019 | good |
| CVE-2024-13611 | 1.5 | 7.5 | 0.0021 | good |
| CVE-2026-41278 | 1.5 | 7.5 | 0.0004 | good |
| CVE-2026-27877 | 1.3 | 6.5 | 0.0002 | good |
| CVE-2024-13638 | 1.2 | 5.9 | 0.0021 | good |
| CVE-2026-2025 | 3.2 | 7.5 | 0.2799 | good |
| CVE-2024-13609 | 2.2 | 5.9 | 0.1770 | good |
| CVE-2019-25709 | 2.0 | 9.8 | 0.0038 | good |